Types of Docker Networks - Nikola's Digital Garden

# Types of Docker Networks Docker networks use several different drivers which change the way networks are implemented. You can think of a network's driver as its type. ## `bridge` Networks This is the default driver and also the driver of the default Docker network. It is virtual network with the host's network bridged in. Containers within a bridge network will be isolated from containers that do not belong to that network. 90% of containers will use this driver. ### The Default Bridge Network A default bridge network is created when Docker is installed called `bridge`. If no network is explicitly specified when creating a container, the container is placed into the default network. Unlike with other networks, container DNS is not enabled for the default network, meaning that containers cannot reference other containers by their container name. This does not mean that the containers are isolated, only that IP addresses have to be used to communicate with them. ### Default Project Network in Docker Compose In Docker Compose the default network is never used. Instead, services are assigned the project default network if no network is otherwise specified. ![[Docker Compose#The Default Docker Compose Project Network]] ## The `host` Network In addition to the default bridge network, Docker will automatically create a network called `host` with the `host` driver. Containers connected to `host` will act as if they are applications running on the host. This means you don't have to map any ports, but you don't get any isolation either. This is useful for networking tools like Wireshark. ## `macvlan` Networks `macvlan` networks are used when you want to turn a container into a host peer, from the perspective of network topology. It will get an IP address that is on the same subnet as that of the host. The container will then be accessible from the wider network via its IP address (and not that of the host). It works as if you connected a container directly to the host's network. `macvlan` driver requires you to: - specify the host subnet, - the address of the gateway, and - the name of the host adapter that should be used, using a driver-specific option: `-o parent=<ADAPTER NAME>`. - Containers can be assigned to a specific VLAN, by including its number as part of the parent interface name: `-o parent=<ADAPTER NAME>.<VLAN number>`. Containers must specify their IP address statically, as using the host network DHCP is not supported. Sample Docker Compose config: ```yaml services: homebridge: networks: hades: ipv4_address: 10.78.20.3 mac_address: 02:42:0a:4e:14:03 networks: hades: driver: macvlan driver_opts: parent: eth0.20 ipam: config: - gateway: 10.78.20.1 subnet: 10.78.20.0/24 ``` When using `docker` command directly you have to create a network first and then join it: ``` docker network create -d macvlan \ --subnet=172.16.86.0/24 \ --gateway=172.16.86.1 \ -o parent=eth0 \ my-macvlan-net ``` `docker run --ip <IP_ADDRESS> ...` ### Promiscuous Mode For `macvlan` networks to work the host's network adapter must be placed in promiscuous mode, so that it does not drop packets intended for the container. Additionally, the switch the host is connected to must support having two MAC addresses assigned to the same physical ethernet port. On Linux, you can enable promiscuous mode with: ```shell sudo ip link set <ADAPTER NAME> promisc on ``` ## `ipvlan` L2 Networks `ipvlan` L2 networks are very similar to `macvlan` networks. The only difference is that containers share the MAC address of the host. This means that there's no need to enable promiscuous mode, but will however require the host's switch and router to support handling multiple IPv4 addresses assigned to the same MAC. ## `ipvlan` L3 Networks Whereas with all the previous modes containers were connected to a virtual switch, containers connected to an `ipvlan` L3 network are connected to a virtual router. Instead of specifying the gateway IP, the traffic is piped directly to the parent adapter, and the host's router is expected to deal with it (it's as if the host adapter is a WAN port of the network). Note that this means that any outbound traffic will be correctly routed, but the host router won't know how to route any responses, meaning that you need to configure a custom static route on the host's router, directing any traffic to the Docker subnet to the host IP. The driver used for this network is `ipvlan`, with a special option `-o ipvlan_mode=l3`. Only one L3 network can be defined per adapter, but you can define multiple subnets (which won't mean much because there'll be no isolation between the two subnets within the Docker network). Containers that belong to an L3 network won't be isolated from any other network hosts on the Docker host's network (because all traffic will be routed to the host and the host will forward the traffic).